Equifax Does it Again [Almost]: A lesson to be learned
The Great Equifax Breach of 2017 allowed hackers to obtain sensitive information from approximately 143 million U.S. consumers. In order “to assist” victims of the attack, Equifax set up a website where people could go to learn whether or not they were affected by the breach.
Around the same time, Nick Sweeting, a full-stack developer, set up a phishing site (an Equifax clone) to show just how easy it is for savvy hackers to set up sites that look like their legitimate counterparts but are actually constructed to trick users into voluntarily giving up sensitive personal information.
According to The Verge, Sweeting said:
“I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer,”
According to Sweeting, any information entered by visitors on that fake page is safe. Still, that doesn’t excuse Equifax from linking to a misspelled version of its own page, which happened, luckily for those who visited it, to be a harmless phishing page. Let this remind you of just how easy it is to set up a phishing site that looks exactly like the real one. According to Sweeting, it only took him about 20 minutes to clone the Equifax site.
And there’s a lesson to be learned here:
Whenever you are on a website that asks you to input sensitive personal information like your Social Security number, your street address, your credit card number(s), your driver’s license number, or any other sensitive personal information, MAKE SURE YOU’RE ON THE CORRECT SITE. You can’t count on anyone else to keep you safe, and you can’t count on any software program to keep you safe; you have to rely on your own good common sense. Take your time and verify before entering sensitive information on any website.
If you’re interested in learning more about this, here’s an excerpt from an article in The Verge. There’s a link to the entire article at the end. Great reading.
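That lesson applies to the sender of a link as much as to the reader. As an added example (my own, not code from this post, from Equifax, or from Sweeting), here is a small Python check that compares every link in an outgoing message against an allowlist of official domains and flags lookalikes: the same characters reordered (securityequifax2017 versus equifaxsecurity2017), a name one or two typos away, or the brand name buried inside a longer domain. The allowlist and the sample tweet are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed allowlist of the domains the post names as Equifax's own (assumption: a comms team keeps such a list).
OFFICIAL_DOMAINS = {"equifax.com", "equifaxsecurity2017.com"}
# Constructed message mirroring the mistaken tweet the post describes.
SAMPLE_TWEET = "Check whether you were affected at https://securityequifax2017.com/ or see equifax.com."
# Bare or http(s) links whose last label is an alphabetic TLD.
URL_RE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)*\.[a-zA-Z]{2,}(?:/\S*)?")

def registrable_domain(url):
    """Last two labels of the URL's host, e.g. 'equifax.com' (naive: assumes a one-label TLD)."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch names one or two typos away from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain):
    """'official' if allowlisted, 'lookalike' if it resembles an official domain, else 'unrelated'."""
    if domain in OFFICIAL_DOMAINS:
        return "official"
    label = domain.split(".")[0].replace("-", "")
    for official in OFFICIAL_DOMAINS:
        olabel = official.split(".")[0]
        if sorted(label) == sorted(olabel):    # same characters reordered, e.g. securityequifax2017
            return "lookalike"
        if edit_distance(label, olabel) <= 2:  # a typo or two away from the real name
            return "lookalike"
        if olabel in label:                    # brand name embedded in a longer name
            return "lookalike"
    return "unrelated"

def audit_message(text):
    """(url, verdict) for every link in an outbound message that does not land on an official domain."""
    findings = []
    for url in URL_RE.findall(text):
        verdict = classify_domain(registrable_domain(url))
        if verdict != "official":
            findings.append((url, verdict))
    return findings
```

Running audit_message(SAMPLE_TWEET) flags the swapped-word link as a lookalike while letting equifax.com through.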
… Full-stack developer Nick Sweeting set up the misspelled phishing site in order to expose vulnerabilities that existed in Equifax’s response page. “I made the site because Equifax made a huge mistake by using a domain that doesn’t have any trust attached to it [as opposed to hosting it on equifax.com],” Sweeting tells The Verge. “It makes it ridiculously easy for scammers to come in and build clones — they can buy up dozens of domains, and typo-squat to get people to type in their info.” Sweeting says no data will leave his page and that he “removed any risk of leaking data via network requests by redirecting them back to the user’s own computer,” so hopefully data entered on his site is relatively safe. Still, Equifax’s team linked out to his page.
Earlier this month, hackers broke into Equifax’s servers and stole 143 million people’s personal information, including their Social Security numbers. In response to the attack, Equifax set up a website — www.equifaxsecurity2017.com — for possible victims to verify whether they’re affected. Because the process involves sharing sensitive information, consumers have to trust they’re entering their data in the right place, which can be tricky because the breach-recovery site itself isn’t part of equifax.com. If users end up on the wrong site, they could end up leaking the data they’re already concerned was stolen.
Today, Equifax ended up creating that exact situation on Twitter. In a tweet to a potential victim, the credit bureau linked to securityequifax2017.com, instead of equifaxsecurity2017.com. It was an easy mistake to make, but the result sent the user to a site with no connection to Equifax itself. Equifax deleted the tweet shortly after this article was published, but it remained live for nearly 24 hours…